Netgate Discussion Forum

    Problem setting up second gateway to other router (solved)

    Category: Firewalling
    5 Posts 2 Posters 1.5k Views
    conehead

      Hi,
      I have the following situation:

      Current network setup range: 10.0.10.0/23, with every PC connected to a Cisco router with gateway 10.0.10.253.

      Now we have a second internet connection that I want to use for wireless clients (VLAN 50 and 60, and also a voice network). VLAN 60: for visitors (only internet access); VLAN 50: for people who may contact our network.
      I gave the pfSense box an IP of 10.0.10.247, so it is connected in the range of the current LAN with a totally different gateway.

      What I would like to achieve: people from VLAN 50 should be able to contact the 10.0.10.0 range and also the 10.0.0.0/23 range.

      For this I created a second gateway on the LAN side (10.0.10.253: the Cisco switch that makes the connection to the 10.0.0.0/23 range). I also added a static route to the new gateway.

      Result:
      From pfSense I can ping the 10.0.0.0/23 range, but the clients from VLAN 50 are unable to ping the 10.0.10.0 and 10.0.0.0 ranges, so I guess I am missing something in the rules; I tried several things but nothing seems to work.
      Every client on the VLAN can reach the internet, but from VLAN 50 the link to 10.0.0.0 and 10.0.10.0 is not working.

      Any ideas?

      link to pdf with screenshots:
      https://www.dropbox.com/s/buhfcxjctzyrejj/pfsense%20probs.pdf?dl=0

      johnpoz (LAYER 8 Global Moderator)

        Look at your firewall rules for VLAN 50 – you have a rule that looks ok: VLAN 50 can go anywhere.. Did you really need a 30-character name for your VLAN 50?? Anyway, you allow it to go anywhere with that first rule, then you say it can talk to the pfSense VLAN 50 interface (pointless), then you say it can talk to servers?? Since the first rule says it can talk anywhere it wants, that rule is pointless no matter what is in the alias.

        Then you create a rule that says it can not talk to rfc1918; all of your networks are rfc1918?? So you don't want VLAN 50 to talk to your other networks? Then why this:

        "people from VLAN 50 should be able to contact the 10.0.10.0 range and also the 10.0.0.0/23 range."

        Keep in mind your first rule says you can talk to anything! Then you have yet another rule that says hey, you can talk to anything, just like your first rule.

        My point here is you seem to have no idea what these rules actually do and are just clicking and hoping shit works.. I am also confused by your networks.. How exactly are these VLANs connected to pfSense? Do you have a managed switch? Is this managed switch different from the Cisco? You have these VLANs on networks that are not private.. 172.60 and 172.50 - you can not just use public IP space you pull out of thin air?? Private space for 172 is 172.16-31. Is this what you wanted to use? Pretty sure you don't own 172.50 and 60, since those are owned by T-Mobile.

        Why did you put a gateway on the pfSense LAN? This turns it into a WAN interface - which you're probably NATting now, etc. etc.. And then if we look at your LAN rules:

        "Current network setup range: 10.0.10.0/23, with every PC connected to a Cisco router with gateway 10.0.10.253."

        Where is this 10.0.0/23 network exactly??? This is not on pfSense? Is it another network that hangs off your Cisco router, I assume?

        Then looking at your rules for LAN, they are just as bad as the 50..

        How would VLAN 50 be a source IP in hitting the LAN interface? Your 2nd rule sends it down your gateway; not sure how that would ever trigger.. Since source traffic from VLAN 50 would only be seen on the VLAN 50 interface.. Then for VLAN 60, again never going to be seen on the LAN interface, you block it from going everywhere but the WAN address of pfSense?? Which is currently down, looks like, and on a 192.168 network..

        So the best I can make out of the networks you have, see attached.

        That is not really a good way to do it. Do you have NAT disabled? When you put a gateway on LAN you turned it into a WAN, which by default would NAT. How do devices on the Cisco network know how to get to the VLANs off of pfSense? How do devices in 10.0.0 know how to get to the VLANs? Did you create routes in the Cisco? Using a shared leg like that is a bad idea.. Why would that be LAN in pfSense?? And it wouldn't have a gateway..

        See the 2nd drawing for how you should do this..

        Use a transit network; a /30 is fine. The Cisco can be .1 and pfSense can be .2 in that network.
        There is NO gateway on this pfSense interface.. Call it transit, not LAN.. That is just confusing.
        Fix your network for VLAN 50 and 60 so they are actual rfc1918 space, unless you are T-Mobile?? ;)

        NetRange:      172.32.0.0 - 172.63.255.255
        CIDR:          172.32.0.0/11
        Organization:  T-Mobile USA, Inc. (TMOBI)
        RegDate:        2012-09-18
        Updated:        2012-09-18
        Ref:            http://whois.arin.net/rest/net/NET-172-32-0-0-1

        Then create routes on pfSense: hey, you want to get to 10.0.0/23 or 10.0.10/23, or you could make it simple and say 10/8, talk to 172.16.0.1 (Cisco transit IP).
        On the Cisco create routes that say if you want to talk to your VLAN networks, talk to 172.16.0.2 (pfSense IP in the transit network). Or could use just 172.16/12 as well.

        As to rules on your transit.. Do you want to block Cisco networks from talking to your VLANs? If so, put the appropriate rules here.. If you state what you want to allow or block, etc., I can give you the rules.
        As to rules on your VLANs.. Do you want to block them from talking to anything over at the Cisco?? If so, correct rules.. More than happy to help if you want.
        I would suggest any any until you have connectivity working, then you can lock stuff down.

        Also, understanding how this is all connected at layer 2 would help.. Are you using 1 managed switch?? Are there multiple switches involved? With the mess that was your attempt at firewall rules, I have very little confidence that you're actually doing VLANs correctly..

        Attachments: vlan50rules.png, lanrulesnew.png, yournetwork.png, transitnetwork.png

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          conehead

          Hi,
          Thanks for your response, but the VLANs are correct and I have everything running on another pfSense box with a slightly different config … I should have removed the rules under the any any .... I know these don't make sense .... that is why there is any any at the beginning, for testing purposes .....
          But with the any any rule on every interface I should be able to ping the other VLAN interfaces .... but I will check your screenshots.

          VLAN 50:

          "Then you create a rule that says it can not talk to rfc1918; all of your networks are rfc1918?? So you don't want VLAN 50 to talk to your other networks?"

          I just want VLAN 50 to connect to a few things and the internet; all the rest of the local networks are indeed blocked .... they just need a connection to 5 IPs and that's it, so I allow only a few servers and the rest of RFC 1918 is blocked ....

          My real problem is how to configure the special gateway on the other switch: since I created the second gateway on the LAN interface, how do I put this special interface in my rules ...

            conehead

            Hi,

            Everything worked as expected after changing my VLAN 50 (172…...) to 192.0... But I am still not able to ping my clients behind the LAN from VLAN 50. I tried several options, and in the attachment are the current rules (just allowed everything on LAN ... it was different before but still no go).
            I got everything working on a Sophos basic firewall after 15 minutes, but I prefer to use pfSense ... (after adding a rule under masquerading).

            Current situation:

            From VLAN 50 I can ping 10.0.10.247 (LAN IP of pfSense).
            pfSense can ping everything on the LAN side (10.0.10.0/23) from its LAN interface.
            Unable to reach anything in the 10.0.10.0/23 range from VLAN 50 (192.168.50.0/24) (and I am unable to change any config on the other routers).

            See screens for details.

            ![pfsense screenshot.png](/public/imported_attachments/1/pfsense screenshot.png)
            ![pfsense floating rules.PNG](/public/imported_attachments/1/pfsense floating rules.PNG)
            ![pfsense vlan 50.PNG](/public/imported_attachments/1/pfsense vlan 50.PNG)
            ![pfsense lan rules.PNG](/public/imported_attachments/1/pfsense lan rules.PNG)

              conehead

              I've got everything working after adding some rules to NAT ….

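Added example, not code from the thread or from pfSense: a small Python model of the routing tables behind johnpoz's two drawings (the original "shared leg" setup with pfSense's LAN inside 10.0.10.0/23, versus a 172.16.0.0/30 transit network with static routes on both sides) and of the outbound NAT workaround conehead ended up using. It traces the forward and reply path of a VLAN 50 to LAN packet and shows why replies leave through the Cisco's default route unless the Cisco has a route back or pfSense rewrites the source. Node names and host addresses (192.168.50.10, 10.0.10.20) are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed topology modelled on the thread (names/addresses are assumptions):
# a VLAN 50 host behind pfSense, a LAN host whose default gateway is the Cisco,
# and the Cisco router. A next hop of "on-link" means directly connected;
# "INTERNET"/"WAN2" are upstream links that never return local traffic.
VLAN50_HOST, LAN_HOST, PFSENSE_LAN_IP = "192.168.50.10", "10.0.10.20", "10.0.10.247"

def next_hop(table, dst):
    """Longest-prefix match over (prefix, next hop) entries; None if no route."""
    dst = ip_address(dst)
    hits = [(ip_network(p), hop) for p, hop in table if dst in ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(nodes, start, dst, max_hops=6):
    """Follow next hops from `start` towards dst; returns the nodes visited."""
    path, node = [start], start
    for _ in range(max_hops):
        hop = next_hop(nodes[node], dst)
        if hop == "on-link":
            return path + ["delivered"]
        if hop not in nodes:                 # left the modelled network
            return path + [hop or "no-route"]
        path.append(hop)
        node = hop
    return path + ["loop"]

def build_nodes(design):
    """'shared-leg': pfSense LAN sits inside 10.0.10.0/23 (the original setup).
    'transit': pfSense and Cisco meet on 172.16.0.0/30 with static routes both ways."""
    cisco = [("10.0.10.0/23", "on-link"), ("10.0.0.0/23", "on-link"), ("0.0.0.0/0", "INTERNET")]
    pfsense = [("192.168.50.0/24", "on-link"), ("0.0.0.0/0", "WAN2")]
    if design == "shared-leg":
        pfsense += [("10.0.10.0/23", "on-link"), ("10.0.0.0/23", "cisco")]
    else:  # transit: each side routes the other's networks via the transit peer
        pfsense += [("172.16.0.0/30", "on-link"), ("10.0.0.0/8", "cisco")]
        cisco += [("172.16.0.0/30", "on-link"), ("192.168.50.0/24", "pfsense")]
    return {"vlan50_host": [("192.168.50.0/24", "on-link"), ("0.0.0.0/0", "pfsense")],
            "lan_host": [("10.0.10.0/23", "on-link"), ("0.0.0.0/0", "cisco")],
            "pfsense": pfsense, "cisco": cisco}

def round_trip(design, outbound_nat=False):
    """Forward path VLAN 50 -> LAN host plus the reply path. With outbound NAT on
    pfSense's LAN, the LAN host answers to pfSense's own address instead."""
    nodes = build_nodes(design)
    forward = trace(nodes, "vlan50_host", LAN_HOST)
    reply = trace(nodes, "lan_host", PFSENSE_LAN_IP if outbound_nat else VLAN50_HOST)
    return forward, reply, forward[-1] == "delivered" and reply[-1] == "delivered"
```

`round_trip("shared-leg")` shows the reply wandering off to the Cisco's upstream, while `round_trip("transit")` and `round_trip("shared-leg", outbound_nat=True)` both complete; the NAT variant hides the VLAN behind 10.0.10.247, which is why conehead's fix worked without touching the Cisco.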